
SANS Stormcast Thursday, July 10th, 2025: Internal CA with ACME; TapJacking on Android; Adobe Patches;

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9520.mp3


Setting up Your Own Certificate Authority for Development: Why and How.
Some tips on setting up your own internal certificate authority using the smallstep CA.
https://isc.sans.edu/diary/Setting%20up%20Your%20Own%20Certificate%20Authority%20for%20Development%3A%20Why%20and%20How./32092
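As an added example (not from the diary or the smallstep project), a `ca.json` fragment for step-ca that enables an ACME provisioner and relaxes the certificate-lifetime claims, which is the freedom over public CAs that the episode points out; the hostname `ca.dev.internal`, the listening port and the file paths are assumptions.

```json
{
  "address": ":9000",
  "dnsNames": ["ca.dev.internal"],
  "root": "/home/step/certs/root_ca.crt",
  "crt": "/home/step/certs/intermediate_ca.crt",
  "key": "/home/step/secrets/intermediate_ca_key",
  "authority": {
    "provisioners": [
      {
        "type": "ACME",
        "name": "acme",
        "claims": {
          "minTLSCertDuration": "5m",
          "defaultTLSCertDuration": "720h",
          "maxTLSCertDuration": "2160h"
        }
      }
    ]
  }
}
```

Certbot then points at the internal CA with `--server https://ca.dev.internal:9000/acme/acme/directory`, and it only accepts that endpoint once the root certificate is in its trust bundle (for example via `REQUESTS_CA_BUNDLE`), the same manual trust step the operating system and browser need.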

Animation-Driven Tapjacking on Android
Attackers can use a clickjacking-like trick to lure victims into tapping on animated, transparent dialogs opened from other applications.
https://taptrap.click/usenix25_taptrap_paper.pdf

Adobe Patches
Adobe patched 13 different products yesterday. Most concerning are the vulnerabilities in ColdFusion, which include code execution and arbitrary file disclosure.
https://helpx.adobe.com/security/security-bulletin.html

Podcast Transcript

Hello and welcome to the Thursday, July 10th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and this episode, brought to you by the SANS.edu Graduate Certificate Program in Incident Response, is recorded in Jacksonville, Florida. In diaries today, I just did a quick write-up about setting up your own certificate authority for development purposes. So this particular write-up doesn't focus on how to do it super securely, but how to do it conveniently and integrate it well with various development tools and development websites that you may have, which in particular means also integrating it with the ACME protocol. The ACME protocol, you may be familiar with it from tools like Certbot that are commonly used to retrieve certificates from Let's Encrypt. But if you set up your own certificate authority, well, you want to stay simple and use tools like that. Well, and you actually can use Certbot. There is an open source certificate authority from smallstep that implements the ACME protocol, relatively straightforward to set up. They also have commercial products, but this particular product is free and open source and also well-documented and not really all that difficult to set up. One thing to particularly note if you are using your own internal certificate authority is that you're not bound by any of the constraints of some of the public certificate authorities. Like, for example, the certificate lifetime, you can create longer, shorter certificates, whatever you would like. You just have to add that certificate authority manually to your operating system or to your browser's list of trusted certificate authorities. Also, keep in mind that when you're doing this, your certificates will not show up in certificate transparency lists. That's actually a big advantage for development websites. So you're not leaking the names of these websites to the world.

And researchers from the University in Wien and Bayreuth have identified an interesting vulnerability in Android that reminds me very much of clickjacking in web applications. In clickjacking, an attacker would include a transparent iframe on their site. That iframe would then include some user interface element the attacker would like the victim to click on. And then, well, the victim is tricked into clicking on that invisible user interface, like usually some kind of permission button. This is very similar to what's happening here with what they call TapTrap on Android. In Android, an application may be able to interact with other applications, in particular, open up certain user interface elements. According to the researchers, 70% of the applications they looked at in the Google Play Store are vulnerable to this in that they don't restrict what the calling application can do to the dialog that is being opened. In particular, the calling application may set an animation. That animation includes setting the transparency of the dialog. And then you basically have the simple clickjacking again, where the user is being tricked into clicking on a particular element in that animated window. That window is invisible because of the transparency setting. The other issue here is that these applications also allow interaction with that dialog while it's being animated. So from a defensive point of view, application developers need to make sure that any user elements that other applications have access to cannot be rendered with a custom animation. And you probably also don't want to allow the user to interact with that element while it's being animated, but wait for the animation to complete.

And a little bit of Patch Tuesday cleanup. We also got updates from Adobe that I didn't cover yesterday. 13 different products here are being updated. The one that I'm sort of always paying a little bit of attention to is ColdFusion. Because of course, that's typically exposed in the form of your websites. ColdFusion here addresses a number of vulnerabilities that you probably should pay attention to. For example, there are a few arbitrary file system read vulnerabilities, as well as some remote code execution vulnerabilities that you probably should pay attention to. Well, and that's it for today. Thanks for listening. Thanks for liking, subscribing. And also thanks for commenting and leaving comments in like Apple's podcast platform about the podcast. And talk to you again tomorrow. Bye.